Retro

Target IP: 10.10.56.98


Scanning

[screenshot]
Only two ports appear to be open on the target machine: HTTP and RDP.

[screenshot]
The host is running Windows. The web server is IIS/10.0, and the linked page mentions that multiple vulnerabilities exist for this web server version.


Enumeration

Port 80: HTTP
[screenshot]
Only a single directory, retro, was found.
[screenshot]
The directory fuzzing result above shows that the host is running a WordPress installation.
[screenshot]
The WordPress version is 5.2.1.

[screenshot]
The webpage above is displayed when we visit the retro directory.

[screenshot]
Running wpscan to enumerate users shows that a user named wade exists.

[screenshot]
Is this wade's password?

[screenshot]
I was able to log in to WordPress as wade:parzival. We should be able to gain a reverse shell connection from here.


Exploitation

[screenshot]
This is the payload I will use. Manual enumeration showed that the server runs PHP.

[screenshot]
I placed Ivan Sincek's PHP reverse shell in the 404.php file of the twentysixteen theme.

[screenshot]
I started a listener on port 8443, browsed to http://10.10.56.98/retro/wp-content/themes/twentysixteen/404.php, and got a reverse shell connection back. I now have a foothold on the Windows machine.
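From the defender's side, the foothold above leaves two traces: a theme file (404.php) whose contents no longer match the installed theme, and a web-server log entry for a direct request to a theme PHP file, which normal WordPress traffic never makes. The following Python script is an added example written for this walkthrough, not code from the original post or from WordPress; it builds a SHA-256 manifest of a theme directory and diffs it against a baseline, and it parses IIS W3C-format log lines to flag direct requests to theme PHP files and POSTs to the theme editor. The theme files, the log lines and the client address 192.0.2.10 are all constructed for the example; only the target address and the 404.php path come from the page.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# A request straight to /wp-content/themes/<theme>/<anything>.php bypasses WordPress
# routing; legitimate visitors never fetch theme templates this way.
THEME_PHP_RE = re.compile(r"^/(?:[^/]+/)*wp-content/themes/[^/]+/[^?]+\.php$")
THEME_EDITOR_RE = re.compile(r"/wp-admin/theme-editor\.php$")

# Constructed IIS W3C log excerpt (not from a real server). IIS replaces spaces inside
# field values with '+', so splitting on whitespace is safe for real logs as well.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-01-01 10:00:01 10.10.56.98 GET /retro/ - 80 - 192.0.2.10 Mozilla/5.0 200
2020-01-01 10:00:05 10.10.56.98 POST /retro/wp-admin/theme-editor.php - 80 - 192.0.2.10 Mozilla/5.0 200
2020-01-01 10:00:09 10.10.56.98 GET /retro/wp-content/themes/twentysixteen/404.php - 80 - 192.0.2.10 Mozilla/5.0 200
2020-01-01 10:00:12 10.10.56.98 GET /retro/wp-content/themes/twentysixteen/style.css - 80 - 192.0.2.10 Mozilla/5.0 200
"""


def hash_tree(root):
    """Return {relative posix path: sha256 hex digest} for every file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Compare two manifests; modified/added PHP files in a theme are the interesting ones."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo_integrity_check():
    """Replay the page's scenario on a constructed theme directory: snapshot a known-good
    theme, then overwrite 404.php and drop an extra PHP file, and report the difference."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "twentysixteen"
        theme.mkdir()
        (theme / "404.php").write_text("<?php get_header(); ?>\n")
        (theme / "style.css").write_text("/* Theme Name: Twenty Sixteen */\n")
        baseline = hash_tree(theme)  # taken while the site is known-good
        (theme / "404.php").write_text("<?php /* replaced template */ ?>\n")  # tampered file
        (theme / "extra.php").write_text("<?php ?>\n")                        # unexpected new file
        return diff_manifest(baseline, hash_tree(theme))


def parse_iis_w3c(text):
    """Yield one dict per data line, keyed by the names in the preceding #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def flag_suspicious_requests(text):
    """Return the requests a defender should look at: direct hits on theme PHP files and
    POSTs to the built-in theme editor (the usual way a template gets rewritten)."""
    hits = []
    for rec in parse_iis_w3c(text):
        uri = rec.get("cs-uri-stem", "")
        if THEME_PHP_RE.match(uri):
            hits.append({"client": rec["c-ip"], "uri": uri,
                         "reason": "direct request to theme PHP file"})
        elif rec.get("cs-method") == "POST" and THEME_EDITOR_RE.search(uri):
            hits.append({"client": rec["c-ip"], "uri": uri,
                         "reason": "theme edited through wp-admin"})
    return hits


if __name__ == "__main__":
    print(demo_integrity_check())
    for hit in flag_suspicious_requests(SAMPLE_IIS_LOG):
        print(hit)
```

Run the manifest half against a real install by calling hash_tree on wp-content/themes right after deployment, storing the result, and re-running it on a schedule; disabling the theme editor (DISALLOW_FILE_EDIT in wp-config.php) removes the write path the log half is looking for.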


Privilege Escalation

[screenshot]
Using the credentials I obtained, I was able to RDP into the machine as wade.

[screenshot]
[screenshot]
The OS version is reported as 10.0.14393 N/A Build 14393.

[screenshot]
A Google search pointed to a public exploit for this vulnerability.

[screenshot]
I downloaded the exploit to my local machine and started a Python web server, transferred it to the target using PowerShell, and ran it. This gave me full control of the machine.


Flags

[screenshot]
The user.txt flag, read after logging in as wade over RDP.

[screenshot]
The root.txt flag, read after gaining an NT AUTHORITY\SYSTEM shell.